Abstract. In this paper we deal with the verification of safety properties of parameterized systems with a tree topology. The verification problem is translated to a purely logical problem of finding a finite countermodel for a first-order formula, which is then resolved by a generic finite model finding procedure. The finite countermodel method is shown to be at least as powerful as regular tree model checking and as the methods based on monotonic abstraction and backwards symbolic reachability. The practical efficiency of the method is illustrated on a set of examples taken from the literature.



1 Finite Countermodel Method 



The development of general automated methods for the verification of infinite-state and parameterized systems poses a major challenge. In general, such problems are undecidable, so one cannot hope for an ultimate solution, and development should focus on restricted classes of systems and properties.

In this paper we deal with a very general method for the verification of safety properties of infinite-state systems which is based on a simple idea. If the evolution of a computational system is faithfully modeled by derivation in classical first-order logic, then safety verification (non-reachability of unsafe states) can be reduced to disproving a first-order formula. The latter task can be (partially, at least) tackled by generic automated procedures searching for finite countermodels.

Such an approach to verification originated in research on the formal verification of security protocols [23,22,9,11,10] and has later been extended to wider classes of infinite-state and parameterized verification tasks. Completeness of the approach for particular classes of systems (lossy channel systems) and relative completeness with respect to the general method of regular model checking have been established in [17] and [18] respectively. The method has also been applied to the verification of safety properties of general term rewriting systems, and its relative completeness with respect to tree completion techniques has been shown in [19].

In this paper we continue the investigation of the applicability of the method and show its power in the context of the verification of safety properties of parameterized tree-like systems. We show the relative completeness of FCM methods with respect to regular tree model checking [3] and with respect to the methods based on monotonic abstraction and symbolic backwards reachability analysis [5].

1.1 Preliminaries 

We assume that the reader is familiar with the basics of first-order logic. In particular, we use without definitions the following concepts: first-order predicate logic, first-order models, interpretations of relational, functional and constant symbols, satisfaction $M \models \varphi$ of a formula $\varphi$ in a model $M$, semantical consequence $\varphi \models \psi$, deducibility (derivability) $\vdash$ in first-order logic. We denote interpretations by square brackets, so, for example, $[f]$ denotes the interpretation of a functional symbol $f$ in a model. We also use the existence of complete finite model finding procedures for first-order predicate logic [7,20], which, given a first-order sentence $\varphi$, eventually produce a finite model for $\varphi$ if such a model exists.



2 Regular Tree Model Checking 

Regular Tree Model Checking (RTMC) is a general method for the verification of parameterized systems that have a tree topology [3,16]. The definitions of this section are largely borrowed from [3].

2.1 Trees 

A ranked alphabet is a pair $(\Sigma,\rho)$, where $\Sigma$ is a finite set of symbols and $\rho : \Sigma \to \mathit{Nat}$ is an arity mapping. Let $\Sigma_p$ denote the set of symbols in $\Sigma$ of arity $p$. Intuitively, each node of a tree is labeled with a symbol from $\Sigma$ and the out-degree of the node is the same as the arity of the symbol.

Definition 1. A tree $T$ over a ranked alphabet $(\Sigma,\rho)$ is a pair $(S,\lambda)$, where

— $S$, called the tree structure, is a finite set of finite sequences over $\mathit{Nat}$. Each sequence $n$ in $S$ is called a node of $T$. $S$ is a prefix-closed set, that is, if $S$ contains a node $n = b_1 b_2 \ldots b_k$, then $S$ also contains the node $n' = b_1 b_2 \ldots b_{k-1}$ and the nodes $n_r = b_1 b_2 \ldots b_{k-1} r$ for $r : 0 < r < b_k$. We say that $n'$ is the parent of $n$, and that $n$ is a child of $n'$. A leaf of $T$ is a node $n$ which does not have any child.

— $\lambda$ is a mapping from $S$ to $\Sigma$ such that the number of children of $n$ is equal to $\rho(\lambda(n))$. In particular, if $n$ is a leaf then $\lambda(n) \in \Sigma_0$.

We use $T(\Sigma)$ to denote the set of all trees over $\Sigma$. We write $n \in T$ when $n \in S$, and $f \in T$ denotes that $\lambda(n) = f$ for some $n \in T$. For a tree $T = (S,\lambda)$ and a node $n \in T$, a subtree of $T$ rooted at $n$ is a tree $T' = (S',\lambda_n)$, where $S' \subseteq \{b \mid nb \in S\}$ and $\lambda_n(b) = \lambda(nb)$. Notice that, according to this definition, a subtree of a tree $T$ does not necessarily consist of all descendants of some node in $T$.

For a ranked alphabet $\Sigma$ let $\Sigma'(m)$ be the ranked alphabet which contains all tuples $(f_1,\ldots,f_m)$ such that $m \geq 1$ and $f_1,\ldots,f_m \in \Sigma_p$ for some $p$. We put $\rho((f_1,\ldots,f_m)) = \rho(f_1)$.

For trees $T_1 = (S_1,\lambda_1)$ and $T_2 = (S_2,\lambda_2)$ we say that $T_1$ and $T_2$ are structurally equivalent if $S_1 = S_2$.

Let $T_1 = (S,\lambda_1),\ldots,T_m = (S,\lambda_m)$ be structurally equivalent trees. Then $T_1 \times \ldots \times T_m$ denotes the tree $T = (S,\lambda)$ where $\lambda(n) = (\lambda_1(n),\ldots,\lambda_m(n))$.

2.2 Tree Automata and Transducers 

A tree language is a set of trees.

Definition 2. A tree automaton over a ranked alphabet $\Sigma$ is a triple $A = (Q,F,\delta)$, where $Q$ is a finite set of states, $F \subseteq Q$ is a set of final states, and $\delta$ is a transition relation, represented by a finite set of rules of the form $(q_1,\ldots,q_p) \to^f q$, where $f \in \Sigma_p$ and $q_1,\ldots,q_p,q \in Q$.

A run $r$ of $A$ on a tree $T = (S,\lambda) \in T(\Sigma)$ is a mapping from $S$ to $Q$ such that for each node $n \in T$ with children $n_1,\ldots,n_k$: $(r(n_1),\ldots,r(n_k)) \to^{\lambda(n)} r(n) \in \delta$.

For a state $q \in Q$ we denote by $T \Rightarrow^r q$ that $r$ is a run of $A$ on $T$ such that $r(\epsilon) = q$. We say that $A$ accepts $T$ if $T \Rightarrow^r q$ for some run $r$ and some $q \in F$. The language of trees accepted by an automaton $A$ is defined as $L(A) = \{T \mid T \text{ is accepted by } A\}$. A tree language $L$ is called regular iff there is a tree automaton $A$ such that $L = L(A)$.

A tree automaton over an alphabet $\Sigma'(2)$ is called a tree transducer.

Let $D$ be a tree transducer over an alphabet $\Sigma'(2)$.

The one-step transition relation $R_D \subseteq T(\Sigma) \times T(\Sigma)$ is defined as $R_D = \{(T,T') \mid T \times T' \text{ is accepted by } D\}$. The reflexive and transitive closure of $R_D$ is denoted by $R_D^*$.

We use $\circ$ to denote the composition of two binary relations, defined in the standard way. Let $R^i$ denote the $i$th power of $R$, i.e. $i$ compositions of $R$. Then we have $R^* = \bigcup_{i \geq 0} R^i$.

For any $L \subseteq T(\Sigma)$ and $R \subseteq T(\Sigma) \times T(\Sigma)$ we denote by $L \star R$ the set $\{y \mid \exists x\; (x,y) \in (L \times T(\Sigma)) \cap R\}$.

Regular Tree Model Checking deals with the following basic verification task.

Problem 1. Given two tree automata $A_I$ and $A_U$ over an alphabet $\Sigma$ and a tree transducer $D$ over $\Sigma'(2)$. Does $(L(A_I) \star R_D^*) \cap L(A_U) = \emptyset$ hold?

In a verification scenario, trees over $\Sigma$ denote states of the system to be verified, and the tree automata $A_I$ and $A_U$ define the sets of trees representing initial and unsafe states, respectively. The tree transducer $D$ defines the transitions of the system. Under these assumptions, a positive answer to an instance of Problem 1 means that the safety property is established, namely, none of the unsafe states is reachable along the system transitions from any of the initial states.

Verification in RTMC proceeds by producing a tree transducer $TR$ approximating $R_D^*$ from above, that is $R_D^* \subseteq L(TR)$, and showing the emptiness of the set $(L(A_I) \star L(TR)) \cap L(A_U)$.



3 From RTMC to FMC 

In this section we show that the generic regular tree model checking question posed in Problem 1 can be reduced to a purely logical problem of finding a finite countermodel for a first-order logic formula, which can then be resolved by the application of a generic model finding procedure. We also show the relative completeness of the finite countermodel method with respect to RTMC.

Assume we are given an instance of the basic verification problem (over a ranked alphabet $\Sigma$), that is

— a tree automaton $A_I = (Q_I,F_I,\delta_I)$ accepting a regular set of initial states;

— a tree automaton $A_U = (Q_U,F_U,\delta_U)$ accepting a regular set of unsafe states;

— a tree transducer $D = (Q_D,F_D,\delta_D)$ representing the one-step transition relation $R_D$.

Now define a set of formulae of first-order predicate logic as follows. The vocabulary consists of

— constants for all elements of $Q_I \cup Q_D \cup Q_U \cup \Sigma_0$;

— unary predicate symbols $\mathit{Init}^{(1)}$, $\mathit{Unsafe}^{(1)}$;

— binary predicate symbols $\mathit{Init}^{(2)}$, $\mathit{Unsafe}^{(2)}$, $R$;

— a ternary predicate symbol $T$;

— a $p$-ary functional symbol $f_\theta$ for every $\theta \in \Sigma_p$.

Given any tree $\tau$ from $T(\Sigma)$ define its term translation $t_\tau$ by induction:

— $t_\tau = c$ for a tree $\tau$ with one node labeled by $c \in \Sigma_0$;

— $t_\tau = f_\theta(t_{\tau_1},\ldots,t_{\tau_p})$ for a tree $\tau$ with the root labeled by $\theta \in \Sigma_p$ and children $\tau_1,\ldots,\tau_p$.

Let $\Phi$ be the set of the following formulae, which are all assumed to be universally closed:

1. $\mathit{Init}^{(2)}(a,q)$ for every $a \in \Sigma_0$, $q \in Q_I$ and $\to^a q$ in $\delta_I$;

2. $\mathit{Init}^{(2)}(x_1,q_1) \wedge \ldots \wedge \mathit{Init}^{(2)}(x_p,q_p) \to \mathit{Init}^{(2)}(f_\theta(x_1,\ldots,x_p),q)$ for every $(q_1,\ldots,q_p) \to^\theta q$ in $\delta_I$;

3. $\bigvee_{q \in F_I} \mathit{Init}^{(2)}(x,q) \to \mathit{Init}^{(1)}(x)$;

4. $\mathit{Unsafe}^{(2)}(a,q)$ for every $a \in \Sigma_0$, $q \in Q_U$ and $\to^a q$ in $\delta_U$;

5. $\mathit{Unsafe}^{(2)}(x_1,q_1) \wedge \ldots \wedge \mathit{Unsafe}^{(2)}(x_p,q_p) \to \mathit{Unsafe}^{(2)}(f_\theta(x_1,\ldots,x_p),q)$ for every $(q_1,\ldots,q_p) \to^\theta q$ in $\delta_U$;

6. $\bigvee_{q \in F_U} \mathit{Unsafe}^{(2)}(x,q) \to \mathit{Unsafe}^{(1)}(x)$;

7. $T(a,b,q)$ for every $\to^{(a,b)} q$ in $\delta_D$;

8. $T(x_1,y_1,q_1) \wedge \ldots \wedge T(x_p,y_p,q_p) \to T(f_{\theta_1}(x_1,\ldots,x_p), f_{\theta_2}(y_1,\ldots,y_p), q)$ for every $(q_1,\ldots,q_p) \to^{(\theta_1,\theta_2)} q$ in $\delta_D$;

9. $\bigvee_{q \in F_D} T(x,y,q) \to R(x,y)$;

10. $R(x,x)$;

11. $R(x,y) \wedge R(y,z) \to R(x,z)$.
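The following Python program is an added example (not code from the paper): it implements the bottom-up runs of tree automata, the product tree $T_1 \times T_2$ and the one-step relation $R_D$ of Section 2.2, together with the term translation $t_\tau$ and the clauses (1)-(11) of $\Phi$ emitted in Mace4 syntax. The automata `A_INIT` and `D` are the Two-way Token automata of Section 4, entered here as constructed data; the function names and the variable-naming scheme (`x0`, `y1`, ..., which Mace4 reads as variables because they begin with a letter from u to z) are the example's own choices.

```python
"""Added example (not code from the paper): bottom-up runs of tree automata,
the product tree T1 x T2 and the one-step relation R_D of Section 2.2, plus the
term translation t_tau and the clauses of Phi of Section 3 emitted in Mace4
syntax.  Trees are nested tuples (label, child, ...).  The automata below are
the Two-way Token automata of Section 4 (constructed here as data)."""
from itertools import product

# Tree automaton A_I (trees with exactly one token): rules (child_states, label, state).
A_INIT = {"final": {"q1"},
          "rules": {((), "n", "q0"), ((), "t", "q1"),
                    (("q0", "q0"), "T", "q1"), (("q0", "q0"), "N", "q0"),
                    (("q0", "q1"), "N", "q1"), (("q1", "q0"), "N", "q1")}}
# Tree transducer D over Sigma'(2): labels are pairs (before, after).
D = {"final": {"q2"},
     "rules": {((), ("n", "n"), "q0"), ((), ("t", "n"), "q1"), ((), ("n", "t"), "q3"),
               (("q0", "q0"), ("N", "N"), "q0"), (("q0", "q2"), ("N", "N"), "q2"),
               (("q2", "q0"), ("N", "N"), "q2"), (("q0", "q0"), ("T", "N"), "q1"),
               (("q3", "q0"), ("T", "N"), "q2"), (("q0", "q3"), ("T", "N"), "q2"),
               (("q0", "q1"), ("N", "T"), "q2"), (("q1", "q0"), ("N", "T"), "q2"),
               (("q0", "q0"), ("N", "T"), "q3")}}

def states_of(aut, tree):
    """All q with tree =>^r q for some run r (nondeterministic bottom-up evaluation)."""
    label, children = tree[0], tree[1:]
    child_states = [states_of(aut, c) for c in children]
    result = set()
    for combo in product(*child_states):          # yields () once for a leaf
        result |= {q for lhs, sym, q in aut["rules"] if sym == label and lhs == combo}
    return result

def accepts(aut, tree):
    return bool(states_of(aut, tree) & aut["final"])

def product_tree(t1, t2):
    """T1 x T2 of structurally equivalent trees: node labels become pairs."""
    if len(t1) != len(t2):
        raise ValueError("trees are not structurally equivalent")
    return ((t1[0], t2[0]),) + tuple(product_tree(a, b) for a, b in zip(t1[1:], t2[1:]))

def one_step(transducer, t1, t2):
    """(t1, t2) in R_D iff t1 x t2 is accepted by D."""
    return accepts(transducer, product_tree(t1, t2))

def term(tree):
    """t_tau: a leaf c becomes the constant c; theta(t1..tp) becomes f_theta(t_1..t_p)."""
    if len(tree) == 1:
        return tree[0]
    return "f%s(%s)" % (tree[0], ",".join(term(c) for c in tree[1:]))

def automaton_clauses(name, aut):
    """Clauses 1-3 (Init) or 4-6 (Unsafe): name/2 encodes runs, name1/1 acceptance."""
    out = []
    for lhs, sym, q in sorted(aut["rules"]):
        if not lhs:
            out.append("%s(%s,%s)." % (name, sym, q))
            continue
        xs = ["x%d" % i for i in range(len(lhs))]
        body = " & ".join("%s(%s,%s)" % (name, x, s) for x, s in zip(xs, lhs))
        out.append("%s -> %s(f%s(%s),%s)." % (body, name, sym, ",".join(xs), q))
    out += ["%s(x,%s) -> %s1(x)." % (name, q, name) for q in sorted(aut["final"])]
    return out

def transducer_clauses(trans):
    """Clauses 7-11: T/3 encodes runs of D on product trees, R/2 its closure."""
    out = []
    for lhs, (a, b), q in sorted(trans["rules"]):
        if not lhs:
            out.append("T(%s,%s,%s)." % (a, b, q))
            continue
        xs = ["x%d" % i for i in range(len(lhs))]
        ys = ["y%d" % i for i in range(len(lhs))]
        body = " & ".join("T(%s,%s,%s)" % (x, y, s) for x, y, s in zip(xs, ys, lhs))
        out.append("%s -> T(f%s(%s),f%s(%s),%s)."
                   % (body, a, ",".join(xs), b, ",".join(ys), q))
    out += ["T(x,y,%s) -> R(x,y)." % q for q in sorted(trans["final"])]
    return out + ["R(x,x).", "R(x,y) & R(y,z) -> R(x,z)."]

if __name__ == "__main__":
    before, after = ("N", ("t",), ("n",)), ("T", ("n",), ("n",))   # the token moves up
    print(accepts(A_INIT, before), one_step(D, before, after), term(before))
    print("\n".join(automaton_clauses("Init", A_INIT) + transducer_clauses(D)))
```

The clause generators follow the definition of $\Phi$ literally: one ground fact per leaf rule, one implication per inner rule with fresh variables per child position, and one acceptance clause per final state, so the printed formulae can be handed to Mace4 together with the goal of Corollary 1.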



Proposition 1 (adequacy of Init and Unsafe translations).
If $\tau \in L(A_I)$ then $\Phi \vdash \mathit{Init}^{(1)}(t_\tau)$.
If $\tau \in L(A_U)$ then $\Phi \vdash \mathit{Unsafe}^{(1)}(t_\tau)$.

Proof. We prove only the first statement; the second one is dealt with in the same way.

Lemma 1. For any tree $\tau$ and any run $r$, if $\tau \Rightarrow^r q$ then $\Phi \vdash \mathit{Init}^{(2)}(t_\tau,q)$.

Proof of Lemma. By induction on the depth of the trees.

— Induction base case. Assume $\tau$ has depth 0, that is, it consists of one vertex labeled by some $a \in \Sigma_0$. Let $r$ be a run such that $\tau \Rightarrow^r q$. It follows (by the definition of a run) that $\to^a q \in \delta_I$, and then $\mathit{Init}^{(2)}(a,q)$ is in $\Phi$ (by clause 1 of the definition of $\Phi$), and therefore $\Phi \vdash \mathit{Init}^{(2)}(a,q)$. Finally notice that the term translation $t_\tau$ of $\tau$ is $a$.

— Induction step case. Assume $\tau$ has a root labeled by $\theta \in \Sigma_p$ and $\tau_1,\ldots,\tau_p$ are the children of the root. For a run $r$ on $\tau$, assume $\tau \Rightarrow^r q$ and $\tau_1 \Rightarrow^r q_1, \ldots, \tau_p \Rightarrow^r q_p$. By the definition of a run we have that $(q_1,\ldots,q_p) \to^\theta q$ is in $\delta_I$. By the induction assumption we have $\Phi \vdash \mathit{Init}^{(2)}(t_{\tau_1},q_1), \ldots, \Phi \vdash \mathit{Init}^{(2)}(t_{\tau_p},q_p)$. By using clause 2 of the definition of $\Phi$ we get $\Phi \vdash \mathit{Init}^{(2)}(f_\theta(t_{\tau_1},\ldots,t_{\tau_p}),q)$, that is $\Phi \vdash \mathit{Init}^{(2)}(t_\tau,q)$. □

Returning to the proof of the proposition, we notice that if $\tau \in L(A_I)$ then there is a run $r$ such that $\tau \Rightarrow^r q$ for some $q \in F_I$. By Lemma 1, $\Phi \vdash \bigvee_{q \in F_I} \mathit{Init}^{(2)}(t_\tau,q)$. By using clause 3 of the definition of $\Phi$ we then get $\Phi \vdash \mathit{Init}^{(1)}(t_\tau)$.

Proposition 2 (adequacy of encoding).

If $\tau \in L(A_I) \star R_D^*$ then $\Phi \vdash \exists x\; \mathit{Init}^{(1)}(x) \wedge R(x,t_\tau)$.

Proof. Easy induction on the length of transition sequences.

— Induction base case. Let $\tau \in L(A_I) \subseteq L(A_I) \star R_D^0$. Then $\Phi \vdash \mathit{Init}^{(1)}(t_\tau)$ (by Proposition 1) and, further, $\Phi \vdash \exists x\; \mathit{Init}^{(1)}(x) \wedge R(x,t_\tau)$ (using clause 10).

— Induction step case. Let $\tau \in L(A_I) \star R_D^{n+1}$. Then there exists $\tau'$ such that $\tau' \in L(A_I) \star R_D^n$ and $R_D(\tau',\tau)$ holds. Further, by an argument analogous to the proof of Proposition 1, $R_D(\tau',\tau)$ entails $\Phi \vdash \bigvee_{q \in F_D} T(t_{\tau'},t_\tau,q)$ and further $\Phi \vdash R(t_{\tau'},t_\tau)$ (using clause 9). From this, clause 11 and the induction assumption, $\Phi \vdash \exists x\; \mathit{Init}^{(1)}(x) \wedge R(x,t_\tau)$ follows.

Assume $\tau \in L(A_I) \star R_D^*$; then by the definition of $\star$ there exists $\tau_0 \in L(A_I)$ such that $R_D^*(\tau_0,\tau)$ holds.

Corollary 1 (correctness of the verification method).

If $\Phi \nvdash \exists x \exists y\,(\mathit{Init}^{(1)}(x) \wedge R(x,y) \wedge \mathit{Unsafe}^{(1)}(y))$ then $(L(A_I) \star R_D^*) \cap L(A_U) = \emptyset$.



Corollary 1 serves as the formal underpinning of the proposed FCM (finite countermodel) verification method. In order to prove safety, that is $(L(A_I) \star R_D^*) \cap L(A_U) = \emptyset$, it is sufficient to demonstrate $\Phi \nvdash \exists x \exists y\,(\mathit{Init}^{(1)}(x) \wedge R(x,y) \wedge \mathit{Unsafe}^{(1)}(y))$. In the FCM method we delegate this task to a generic finite model finding procedure, which searches for finite countermodels for $\Phi \to \exists x \exists y\,(\mathit{Init}^{(1)}(x) \wedge R(x,y) \wedge \mathit{Unsafe}^{(1)}(y))$.

3.1 Relative completeness of FCM with respect to RTMC 

In general, searching for finite countermodels to disprove non-valid first-order formulae may not always lead to success, because for some formulae countermodels are inevitably infinite. Here we show, however, that this is not the case for the first-order encodings of the problems which can be positively answered by Regular Tree Model Checking. It follows that FCM is at least as powerful in establishing safety as RTMC, provided a complete finite model finding procedure is used.

Theorem 1 (relative completeness of FCM). Given an instance of the basic verification problem for RTMC, that is two tree automata $A_I$ and $A_U$ over an alphabet $\Sigma$ and a tree transducer $D = (Q_D,F_D,\delta_D)$ over $\Sigma'(2)$. If there exists a regular tree language $\mathcal{R}$ such that $(L(A_I) \star R_D^*) \subseteq \mathcal{R}$ and $\mathcal{R} \cap L(A_U) = \emptyset$, then there is a finite countermodel for $\Phi \to \exists x \exists y\,(\mathit{Init}^{(1)}(x) \wedge R(x,y) \wedge \mathit{Unsafe}^{(1)}(y))$.

Proof. Let $A = (Q,F,\delta)$ be a deterministic tree automaton recognizing the tree language $\mathcal{R}$, i.e. $L(A) = \mathcal{R}$. We take $Q \cup Q_I \cup Q_U \cup Q_D \cup \{e\}$ to be the domain of the required finite model. Here $e$ is a distinct element not in $Q \cup Q_I \cup Q_U \cup Q_D$. Define interpretations as follows.

— For $a \in \Sigma_0$, $[a] = q \in Q$ such that $\to^a q$ is in $\delta$;

— For $\theta \in \Sigma_p$, $[f_\theta](q_1,\ldots,q_p) = q$ for any $(q_1,\ldots,q_p) \to^\theta q$ in $\delta$, and $[f_\theta](\ldots) = e$ otherwise;

— Interpretations of $\mathit{Init}^{(2)}$ and $\mathit{Init}^{(1)}$ are defined inductively, as the least subsets of pairs, respectively elements, of the domain satisfying the formulae (1)-(3) (and assuming all interpretations above);

— Interpretations of $\mathit{Unsafe}^{(2)}$ and $\mathit{Unsafe}^{(1)}$ are defined inductively, as the least subsets of pairs, respectively elements, of the domain satisfying the formulae (4)-(6) (and assuming all interpretations above);

— Interpretation of $T$ is defined inductively, as the least subset of triples satisfying the formulae (7)-(8) (and assuming all interpretations above);

— Interpretation of $R$ is defined inductively, as the least subset of pairs satisfying the formulae (9)-(11) (and assuming all interpretations above).

The finite model so defined satisfies $\Phi$ (by construction). Now we check that $\exists x \exists y\,(\mathit{Init}^{(1)}(x) \wedge R(x,y) \wedge \mathit{Unsafe}^{(1)}(y))$ is false in the model. We have

1. $[\mathit{Init}^{(1)}] \star [R] \subseteq \{[t] \mid t \in L(A_I) \star R_D^*\}$ (by the minimality condition on the interpretations of $\mathit{Init}^{(1)}$ and $R$);

2. $\{[t] \mid t \in L(A_I) \star R_D^*\} \subseteq F \subseteq Q$ (by the interpretations of terms and the condition $L(A_I) \star R_D^* \subseteq \mathcal{R}$);

3. $[\mathit{Init}^{(1)}] \star [R] \subseteq F$ (by 1 and 2);

4. $[\mathit{Unsafe}^{(1)}] = \{[t] \mid t \in L(A_U)\}$ (by the definition of $[\mathit{Unsafe}^{(1)}]$, in particular by the minimality condition);

5. $\{[t] \mid t \in L(A_U)\} \cap F = \emptyset$ (by the condition $\mathcal{R} \cap L(A_U) = \emptyset$);

6. $[\mathit{Unsafe}^{(1)}] \cap F = \emptyset$ (by 4 and 5);

7. $([\mathit{Init}^{(1)}] \star [R]) \cap [\mathit{Unsafe}^{(1)}] = \emptyset$ (by 3 and 6).
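The following Python program is an added example (not code from the paper) that carries out the construction of the proof of Theorem 1 on the Two-way Token instance of Section 4. The automata `A_INIT`, `A_UNSAFE` and `D` are the paper's automata entered as constructed data; the invariant language $\mathcal{R}$ is given by the deterministic automaton `A_ONE` (trees with exactly one token), and the domain, the interpretations $[a]$ and $[f_\theta]$ (with $e$ as the value where $A$ has no rule) and the least interpretations of $\mathit{Init}$, $\mathit{Unsafe}$, $T$ and $R$ are computed exactly as in the proof. The function names are the example's own; the trivial automaton `A_ALL` is added to show that the same construction with an invariant that does not separate initial from unsafe trees yields no countermodel.

```python
"""Added example (not code from the paper): the finite countermodel of Theorem 1,
built for the Two-way Token instance of Section 4.  The invariant language R is
recognised by a deterministic automaton A; the domain is Q ∪ Q_I ∪ Q_U ∪ Q_D ∪ {e},
the interpretations of Init, Unsafe, T and R are the least relations satisfying
clauses (1)-(11), and the model is a countermodel iff Init1(x) ∧ R(x,y) ∧ Unsafe1(y)
has no solution.  Automata are (rules, finals) with rules {(child_states, label): state};
all automata used here are deterministic, as the proof requires of A."""
from itertools import product

# Constructed data: the Two-way Token automata of Section 4.
A_INIT = ({((), "n"): "q0", ((), "t"): "q1",
           (("q0", "q0"), "T"): "q1", (("q0", "q0"), "N"): "q0",
           (("q0", "q1"), "N"): "q1", (("q1", "q0"), "N"): "q1"}, {"q1"})
# A_U counts tokens (q0: none, q1: one, q2: two or more); its 18 inner rules are enumerated.
_U = {((), "n"): "q0", ((), "t"): "q1"}
for a, b in product(range(3), repeat=2):
    _U[(("q%d" % a, "q%d" % b), "N")] = "q%d" % min(a + b, 2)
    _U[(("q%d" % a, "q%d" % b), "T")] = "q%d" % min(a + b + 1, 2)
A_UNSAFE = (_U, {"q2"})
D = ({((), ("n", "n")): "q0", ((), ("t", "n")): "q1", ((), ("n", "t")): "q3",
      (("q0", "q0"), ("N", "N")): "q0", (("q0", "q2"), ("N", "N")): "q2",
      (("q2", "q0"), ("N", "N")): "q2", (("q0", "q0"), ("T", "N")): "q1",
      (("q3", "q0"), ("T", "N")): "q2", (("q0", "q3"), ("T", "N")): "q2",
      (("q0", "q1"), ("N", "T")): "q2", (("q1", "q0"), ("N", "T")): "q2",
      (("q0", "q0"), ("N", "T")): "q3"}, {"q2"})
# Invariant automata: A_ONE accepts exactly the trees with one token (so
# L(A_I) * R_D^* ⊆ L(A_ONE) and L(A_ONE) ∩ L(A_U) = ∅); A_ALL accepts every tree.
A_ONE = ({((), "n"): "s0", ((), "t"): "s1", (("s0", "s0"), "N"): "s0",
          (("s0", "s1"), "N"): "s1", (("s1", "s0"), "N"): "s1",
          (("s0", "s0"), "T"): "s1"}, {"s1"})
A_ALL = ({((), "n"): "s", ((), "t"): "s", (("s", "s"), "N"): "s", (("s", "s"), "T"): "s"}, {"s"})

def least_relation(aut, f, const):
    """Least set of tuples (x_1..x_k, q) closed under clauses 1-2 (k=1) or 7-8 (k=2):
    a leaf rule contributes ([a_1]..[a_k], q); an inner rule combines, for each
    child position, any tuple already derived whose state is the child's state."""
    rules, _ = aut
    rel = set()
    for (lhs, label), q in rules.items():
        syms = label if isinstance(label, tuple) else (label,)
        if not lhs:
            rel.add(tuple(const(a) for a in syms) + (q,))
    changed = True
    while changed:
        changed = False
        for (lhs, label), q in rules.items():
            syms = label if isinstance(label, tuple) else (label,)
            if not lhs:
                continue
            cands = [[t for t in rel if t[-1] == s] for s in lhs]
            for combo in product(*cands):
                new = tuple(f(sym, [t[i] for t in combo]) for i, sym in enumerate(syms)) + (q,)
                if new not in rel:
                    rel.add(new)
                    changed = True
    return rel

def build_model(invariant):
    """[Init1], [R], [Unsafe1] of the Theorem 1 model for the invariant automaton A."""
    rules, _ = invariant
    def f(sym, args):                 # [f_theta]: A's transition, e where A has no rule
        return rules.get((tuple(args), sym), "e")
    def const(a):                     # [a] for a in Sigma_0
        return rules[((), a)]
    init1 = {x for x, q in least_relation(A_INIT, f, const) if q in A_INIT[1]}
    unsafe1 = {x for x, q in least_relation(A_UNSAFE, f, const) if q in A_UNSAFE[1]}
    dom = set(rules.values()) | {"e", "q0", "q1", "q2", "q3"}
    r = {(x, y) for x, y, q in least_relation(D, f, const) if q in D[1]}   # clause 9
    r |= {(x, x) for x in dom}        # clause 10
    while True:                       # clause 11: transitive closure
        closure = r | {(x, z) for x, y in r for y2, z in r if y == y2}
        if closure == r:
            return init1, r, unsafe1
        r = closure

def is_countermodel(init1, r, unsafe1):
    """True iff ∃x∃y(Init1(x) ∧ R(x,y) ∧ Unsafe1(y)) is false, i.e. safety is established."""
    return not any(x in init1 and y in unsafe1 for x, y in r)

if __name__ == "__main__":
    print(is_countermodel(*build_model(A_ONE)))   # the invariant separates Init from Unsafe
    print(is_countermodel(*build_model(A_ALL)))   # a trivial invariant gives no countermodel
```

With `A_ONE` the only derivable $\mathit{Init}^{(1)}$ element is the state `s1`, the only $\mathit{Unsafe}^{(1)}$ element is the sink `e`, and $[R]$ relates `s1` only to itself, which is the situation items 1-7 of the proof describe; with `A_ALL` both predicates collapse onto the single state and reflexivity of $R$ alone defeats the check.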



4 The case study 

In this section we illustrate the FCM method by applying it to the verification of the Two-way Token protocol. The system consists of finite-state processes connected to form a binary tree structure. Each process stores a single bit which represents the fact that the process has a token. During operation of the protocol the token can be passed up or down the tree. The correctness condition is that two or more tokens never appear. In parameterized verification we would like to establish correctness for all possible sizes of trees.

We take the RTMC-style specification of Two-way Token from [3]. Let $\Sigma = \{t,n,T,N\}$ be the alphabet. Here $t,n \in \Sigma_0$ label processes on the leaves of a tree, and $T,N \in \Sigma_2$ label processes on the inner nodes of a tree. Further, $t,T$ label processes with a token and $n,N$ label processes without tokens.

The automaton $A_I = (Q_I,F_I,\delta_I)$ accepts the initial configurations of the protocol, that is, the trees with exactly one token. Here $Q_I = \{q_0,q_1\}$, $F_I = \{q_1\}$ and $\delta_I$ consists of the following transition rules:

$\to^n q_0$   $\to^t q_1$   $(q_0,q_0) \to^T q_1$

$(q_0,q_0) \to^N q_0$   $(q_0,q_1) \to^N q_1$   $(q_1,q_0) \to^N q_1$

The tree transducer $D = (Q_D,F_D,\delta_D)$ over $\Sigma'(2)$ represents the transitions of the protocol. Here $Q_D = \{q_0,q_1,q_2,q_3\}$, $F_D = \{q_2\}$ and $\delta_D$ consists of the following transition rules:

$\to^{(n,n)} q_0$   $\to^{(t,n)} q_1$   $\to^{(n,t)} q_3$   $(q_0,q_0) \to^{(N,N)} q_0$

$(q_0,q_2) \to^{(N,N)} q_2$   $(q_2,q_0) \to^{(N,N)} q_2$   $(q_0,q_0) \to^{(T,N)} q_1$   $(q_3,q_0) \to^{(T,N)} q_2$

$(q_0,q_3) \to^{(T,N)} q_2$   $(q_0,q_1) \to^{(N,T)} q_2$   $(q_1,q_0) \to^{(N,T)} q_2$   $(q_0,q_0) \to^{(N,T)} q_3$

The automaton $A_U = (Q_U,F_U,\delta_U)$ accepts the unsafe (bad) configurations of the protocol, that is, the trees with at least two tokens. Here $Q_U = \{q_0,q_1,q_2\}$, $F_U = \{q_2\}$ and $\delta_U$ consists of the following transition rules:

$\to^n q_0$   $\to^t q_1$

$(q_0,q_0) \to^T q_1$   $(q_0,q_1) \to^N q_1$   $(q_0,q_0) \to^N q_0$

$(q_0,q_1) \to^T q_2$   $(q_1,q_0) \to^N q_1$   $(q_1,q_0) \to^T q_2$

$(q_0,q_2) \to^T q_2$   $(q_2,q_0) \to^T q_2$   $(q_1,q_1) \to^T q_2$

$(q_2,q_1) \to^T q_2$   $(q_2,q_2) \to^T q_2$   $(q_1,q_2) \to^T q_2$

$(q_0,q_2) \to^N q_2$   $(q_2,q_0) \to^N q_2$   $(q_1,q_1) \to^N q_2$

$(q_2,q_1) \to^N q_2$   $(q_2,q_2) \to^N q_2$   $(q_1,q_2) \to^N q_2$


The set $\Phi$ of the following formulae presents a translation of the verification problem. We use the syntax of first-order logic used in the Mace4 finite model finder [20].

% Transducer

T(n,n,q0).
T(t,n,q1).
T(n,t,q3).
T(x,z,q0) & T(y,v,q0) -> T(fT(x,y),fN(z,v),q1).
T(x,z,q1) & T(y,v,q0) -> T(fN(x,y),fT(z,v),q2).
T(x,z,q0) & T(y,v,q1) -> T(fN(x,y),fT(z,v),q2).
T(x,z,q0) & T(y,v,q0) -> T(fN(x,y),fN(z,v),q0).
T(x,z,q0) & T(y,v,q2) -> T(fN(x,y),fN(z,v),q2).
T(x,z,q2) & T(y,v,q0) -> T(fN(x,y),fN(z,v),q2).
T(x,z,q3) & T(y,v,q0) -> T(fT(x,y),fN(z,v),q2).
T(x,z,q0) & T(y,v,q3) -> T(fT(x,y),fN(z,v),q2).
T(x,z,q0) & T(y,v,q0) -> T(fN(x,y),fT(z,v),q3).

% Initial states automaton

Init(n,q0).
Init(t,q1).
Init(x,q0) & Init(y,q0) -> Init(fT(x,y),q1).
Init(x,q0) & Init(y,q1) -> Init(fN(x,y),q1).
Init(x,q0) & Init(y,q0) -> Init(fN(x,y),q0).
Init(x,q1) & Init(y,q0) -> Init(fN(x,y),q1).

% Bad states automaton

Bad(n,q0).
Bad(t,q1).
Bad(x,q0) & Bad(y,q0) -> Bad(fN(x,y),q0).
Bad(x,q0) & Bad(y,q0) -> Bad(fT(x,y),q1).
Bad(x,q0) & Bad(y,q1) -> Bad(fN(x,y),q1).
Bad(x,q1) & Bad(y,q0) -> Bad(fN(x,y),q1).
Bad(x,q0) & Bad(y,q1) -> Bad(fT(x,y),q2).
Bad(x,q1) & Bad(y,q0) -> Bad(fT(x,y),q2).
Bad(x,q1) & Bad(y,q1) -> Bad(fN(x,y),q2).
Bad(x,q1) & Bad(y,q1) -> Bad(fT(x,y),q2).
Bad(x,q0) & Bad(y,q2) -> Bad(fN(x,y),q2).
Bad(x,q2) & Bad(y,q0) -> Bad(fN(x,y),q2).
Bad(x,q0) & Bad(y,q2) -> Bad(fT(x,y),q2).
Bad(x,q2) & Bad(y,q0) -> Bad(fT(x,y),q2).
Bad(x,q1) & Bad(y,q2) -> Bad(fN(x,y),q2).
Bad(x,q2) & Bad(y,q1) -> Bad(fN(x,y),q2).
Bad(x,q1) & Bad(y,q2) -> Bad(fT(x,y),q2).
Bad(x,q2) & Bad(y,q1) -> Bad(fT(x,y),q2).
Bad(x,q2) & Bad(y,q2) -> Bad(fN(x,y),q2).
Bad(x,q2) & Bad(y,q2) -> Bad(fT(x,y),q2).

% Transition relation (clauses 9-11)

T(x,y,q2) -> R(x,y).
R(x,x).
R(x,y) & R(y,z) -> R(x,z).

% Acceptance (clauses 3 and 6)

Init(x,q1) -> Init1(x).
Bad(x,q2) -> Bad1(x).



According to Proposition 2 and Corollary 1, to establish safety for the Two-way Token protocol it suffices to show $\Phi \nvdash \exists x \exists y\,((\mathit{Init1}(x) \wedge R(x,y)) \wedge \mathit{Bad1}(y))$. We delegate this task to the Mace4 finite model finder, and it finds a countermodel for $\Phi \to \exists x \exists y\,((\mathit{Init1}(x) \wedge R(x,y)) \wedge \mathit{Bad1}(y))$ in 0.03s. The parameterized protocol is verified. The actual Mace4 input and output can be found in [14].

5 Monotonic abstraction and symbolic reachability vs FCM

Regular Tree Model Checking provides a general method for the verification of parameterized protocols for tree-shaped architectures. In [5] a lightweight alternative to RTMC was proposed. It utilizes a generic approach to safety verification using monotonic abstraction and symbolic reachability, applied to tree rewriting systems. This generic approach has previously been successfully applied to the verification of parameterized linear systems [1] (as an alternative to standard Regular Model Checking). In this section we demonstrate the flexibility of the FCM approach and show that one can translate safety verification problems for parameterized tree-shaped systems formulated using tree rewriting into the problem of disproving a first-order formula, using the same basic principle (reachability as first-order derivability). For the defined translation we show the relative completeness of FCM with respect to monotonic abstraction and symbolic reachability and demonstrate its practical efficiency.

5.1 Parameterized Tree Systems 

The approach of [5] to the verification of parameterized tree systems adopts the following viewpoint. A configuration of the system is represented by a tree over a finite alphabet, where the elements of the alphabet represent the local states of the individual processes. The behaviour of the system is specified by a set of tree rewriting rules, which describe how the processes perform transitions. Transitions are enabled by the local state of the process together with the states of its children and parent processes.

Definition 3. A tree $T$ over a set of states $Q$ is a pair $(S,\lambda)$, where

— $S$ is a tree structure (cf. Definition 1);

— $\lambda$ is a mapping from $S$ to $Q$.

Notice that trees over a set of states are similar to the trees over ranked alphabets (Definition 1), with the only difference being that the same state can label vertices with different numbers of children (e.g. leaves of the tree and internal vertices).

In what follows we assume for simplicity of presentation (after [5]) that all trees are (at most) binary, that is, every node has either one or two children (internal node) or no children (leaf). It is straightforward to extend all constructions and results to the general case of not necessarily binary trees. Notice that configurations of the tree systems will be modeled by complete binary trees. Incomplete binary trees (which may contain nodes with one child) will appear only in the rewrite rules.

Definition 4. A parameterized tree system $P$ is a tuple $(Q,R)$, where $Q$ is a finite set of states and $R \subseteq T(Q \times Q)$ is a finite set of rewrite rules.

With each rule $r = (S,\lambda) \in R$ we associate two trees, called the left and right trees of $r$. We define $lhs(r) = (S,lhs(\lambda))$ and $rhs(r) = (S,rhs(\lambda))$, where $lhs(\lambda)$ and $rhs(\lambda)$ are the left, respectively right, projections of $\lambda$.

We will denote (labeled) binary trees by bracket expressions in the standard way.

Example 1. Let $Q = \{q_0,q_1,q_2\}$; then $r = (q_0,q_1)((q_1,q_1),(q_2,q_0)) \in T(Q \times Q)$ is a rewriting rule. This rule has $\bullet(\bullet,\bullet)$ as its tree structure, with one root and two leaves. The pairs of states $(q_0,q_1)$, $(q_1,q_1)$, $(q_2,q_0)$ label the root and the two leaves, respectively. We also have $lhs(r) = q_0(q_1,q_2)$ and $rhs(r) = q_1(q_1,q_0)$.

Example 2. Let $Q$ be as above; then $(q_1,q_2)((q_0,q_1))$ is a rewriting rule with the structure of the incomplete binary tree $\bullet(\bullet)$.

Given a parameterized tree system $P = (Q,R)$, define the one-step transition relation $\Rightarrow_P \subseteq T(Q) \times T(Q)$ as follows: $\tau_1 \Rightarrow_P \tau_2$ iff for some $r \in R$, $\tau_1$ contains $lhs(r)$ as a subtree and $\tau_2$ is obtained from $\tau_1$ by replacing this subtree with $rhs(r)$. Since $lhs(r)$ and $rhs(r)$ have the same tree structure, the replacement operation and the one-step transition relation are well-defined.

Example 3. Let $P = (Q,R)$ with $Q = \{q_0,q_1,q_2\}$ and $R = \{(q_0,q_1)((q_1,q_1),(q_2,q_0))\}$. Then we have (in each case the subtree matching $lhs(r)$ is the one that is rewritten):

— $q_0(q_1,q_2) \Rightarrow_P q_1(q_1,q_0)$;

— $q_2(q_0(q_1,q_2),q_1) \Rightarrow_P q_2(q_1(q_1,q_0),q_1)$;

— $q_0(q_1(q_1,q_0),q_2(q_0,q_2)) \Rightarrow_P q_1(q_1(q_1,q_0),q_0(q_0,q_2))$.

Denote the transitive and reflexive closure of $\Rightarrow_P$ by $\Rightarrow_P^*$.

Definition 5 (embedding). For $\tau_1 = (S_1,\lambda_1)$ and $\tau_2 = (S_2,\lambda_2)$, an injective function $f : S_1 \to S_2$ is called an embedding iff

— $s \cdot b \in S_1$ implies $f(s) \cdot b \leq f(s \cdot b)$ for any $s \in S_1$;

— $\lambda_1(s) = \lambda_2(f(s))$.

We use $\tau_1 \preceq_f \tau_2$ to denote that $f$ is an embedding of $\tau_1$ into $\tau_2$, and write $\tau_1 \preceq \tau_2$ iff there exists $f$ such that $\tau_1 \preceq_f \tau_2$.

Using the embeddability relation $\preceq$ allows one to describe infinite families of trees by finitary means.

We call a set of trees $\mathcal{T} \subseteq T(Q)$ finitely based iff there is a finite set $B \subseteq T(Q)$ such that $\mathcal{T} = \{\tau \mid \exists \tau' \in B\; \tau' \preceq \tau\}$. Notice that finitely based sets of trees are upwards closed with respect to $\preceq$, that is, $\tau \in \mathcal{T}$ and $\tau \preceq \tau'$ implies $\tau' \in \mathcal{T}$.

Many safety verification problems for parameterized tree systems can be reduced to the following coverability problem.

Problem 2. Given a parameterized tree system $P = (Q,R)$, a regular tree language $\mathit{Init} \subseteq T(Q)$ of initial configurations and a finitely based set of unsafe configurations $\mathit{Unsafe} \subseteq T(Q)$. Does $\tau \not\Rightarrow_P^* \tau'$ hold for all $\tau \in \mathit{Init}$ and all $\tau' \in \mathit{Unsafe}$?

Note 1. We formally defined regular tree languages over ranked alphabets. Regular tree languages over (unranked) states can be defined in various ways. We will fix a particular convention in Assumption 1 below.

Now we briefly outline the monotonic abstraction approach [5] to verification. Given the coverability problem above, [5] defines the monotonic abstraction $\Rightarrow_P^A$ of the transition relation $\Rightarrow_P$ as follows. We have $\tau_1 \Rightarrow_P^A \tau_2$ iff there exists a tree $\tau'$ such that $\tau' \preceq \tau_1$ and $\tau' \Rightarrow_P \tau_2$. It is clear that $\Rightarrow_P^A$ so defined is an over-approximation of $\Rightarrow_P$. To establish the safety property, i.e. to get a positive answer to the question of Problem 2, [5] proposes using a symbolic backward reachability algorithm for the monotonic abstraction. Starting with an upwards closed (w.r.t. $\preceq$) set of unsafe configurations $\mathit{Unsafe}$, the algorithm proceeds iteratively with the computation of the set of configurations backwards reachable along $\Rightarrow_P^A$ from $\mathit{Unsafe}$:

— $U_0 = \mathit{Unsafe}$

— $U_{i+1} = U_i \cup \mathit{Pre}(U_i)$

where $\mathit{Pre}(U) = \{\tau \mid \exists \tau' \in U\; \tau \Rightarrow_P^A \tau'\}$. Since the relation $\preceq$ is a well quasi-ordering [13], this iterative process is guaranteed to stabilize, i.e. $U_{n+1} = U_n = U$ for some finite $n$. During the computation each $U_i$ is represented symbolically by a finite set of generators. Once the process has stabilized on some $U$, the check is performed on whether $\mathit{Init} \cap U = \emptyset$. If this condition is satisfied then safety is established, for no bad configuration can be reached from the initial configurations via $(\Rightarrow_P^A)^*$ and, a fortiori, via $\Rightarrow_P^*$.



5.2 Parameterized Tree systems to FCM 

Here we show how to translate the coverability problem (Problem 2) into the task of disproving a first-order formula, and demonstrate the relative completeness of the FCM method with respect to the monotonic abstraction approach.

Assume we are given an instance of the coverability problem, that is

— a parameterized tree system $P = (Q,R)$,

— a regular tree language $\mathit{Init}$ of initial configurations, given by a tree automaton $A_I = (Q_I,F_I,\delta_I)$, and

— a finitely based set of unsafe configurations $\mathit{Unsafe}$, given by a finite set of generators $Un \subseteq T(Q)$.

For a set of states $Q$ let $\mathcal{F}_Q = \{f_q \mid q \in Q\} \cup \{e\}$ be the set of corresponding binary functional symbols extended with a distinct functional symbol $e$ of arity 0 (a constant).

For any complete binary tree $\tau \in T(Q)$ define its term translation $t_\tau$ in the vocabulary $\mathcal{F}_Q$ inductively:

— $t_\tau = f_q(e,e)$ if $\tau$ is a tree with one node labeled by a state $q$;

— $t_\tau = f_q(t_{\tau_1},t_{\tau_2})$ if the root of $\tau$ has two children and $\tau = q(\tau_1,\tau_2)$.

For any not necessarily complete binary tree $\tau \in T(Q \times Q)$ define inductively its translation $S_\tau$ as a set of pairs of terms in the vocabulary $\mathcal{F}_Q$:

— $S_\tau = \{(f_{q_1}(e,e), f_{q_2}(e,e))\}$ if $\tau$ is a tree with one node labeled with the states $(q_1,q_2)$;

— $S_\tau = \{(f_{q_1}(p_1,p_2), f_{q_2}(p_3,p_4)) \mid (p_1,p_3) \in S_{\tau_1}, (p_2,p_4) \in S_{\tau_2}\}$ if the root of $\tau$ is labeled by $(q_1,q_2)$ and it has two children $\tau_1$ and $\tau_2$, i.e. if $\tau = (q_1,q_2)(\tau_1,\tau_2)$;

— $S_\tau = \{(f_{q_1}(p_1,e), f_{q_2}(p_2,e)) \mid (p_1,p_2) \in S_{\tau_1}\} \cup \{(f_{q_1}(e,p_1), f_{q_2}(e,p_2)) \mid (p_1,p_2) \in S_{\tau_1}\}$ if the root of $\tau$ is labeled by $(q_1,q_2)$ and it has one child $\tau_1$, i.e. if $\tau = (q_1,q_2)(\tau_1)$.

For $(p_1,p_2) \in S_\tau$ we denote by $p_1^{gen}$ (by $p_2^{gen}$) the generalized term obtained by replacing all occurrences of the constant $e$ in $p_1$ (in $p_2$, respectively) with distinct variables.

Now we define the first-order translation of the set of rules $R$ as the following set $\Phi_R$ of first-order formulae, which are all assumed to be universally closed:

1. $R(p_1^{gen}, p_2^{gen})$ for all $r \in R$ and $(p_1,p_2) \in S_r$ (rewriting axioms);

2. $R(x,x)$ (reflexivity axiom);

3. $R(x,y) \wedge R(y,z) \to R(x,z)$ (transitivity axiom);

4. $R(x,y) \wedge R(z,v) \to R(f_q(x,z), f_q(y,v))$ for all $q \in Q$ (congruence axioms).

In 1) we additionally require that the generalizations $p_1^{gen}$ and $p_2^{gen}$ be consistent, that is, the variables used in the generalizations are the same in the same positions.
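The following Python program is an added example (not code from the paper) of the translation $S_\tau$ and the generalization $p^{gen}$ just defined: it computes $S_r$ for a rule tree with zero, one or two children, replaces the $i$-th occurrence of $e$ on both sides by the same variable (consistent, because both terms of a pair have the same shape), and emits the axioms 1-4 of $\Phi_R$ in Mace4 syntax. The rule trees are the Two-way Token rules of Section 5.3 and the rule of Example 1, entered as constructed data; the function names and the variable names `x0`, `x1`, ... are the example's own choices (Mace4 treats identifiers beginning with u to z as variables).

```python
"""Added example (not code from the paper): the translation S_tau of tree
rewriting rules into pairs of terms over F_Q (Section 5.2), the generalization
that replaces each e by a fresh variable (consistently on both sides, since the
two terms have the same shape), and the resulting axioms 1-4 of Phi_R in Mace4
syntax.  A rule tree is ((q1, q2), children) with 0, 1 or 2 children."""
import re

def pairs(rule):
    """S_tau for a rule tree; a single child may sit on either side of its parent."""
    (q1, q2), kids = rule
    if not kids:
        return [("f%s(e,e)" % q1, "f%s(e,e)" % q2)]
    if len(kids) == 2:
        return [("f%s(%s,%s)" % (q1, p1, p2), "f%s(%s,%s)" % (q2, p3, p4))
                for p1, p3 in pairs(kids[0]) for p2, p4 in pairs(kids[1])]
    out = []
    for p1, p2 in pairs(kids[0]):
        out.append(("f%s(%s,e)" % (q1, p1), "f%s(%s,e)" % (q2, p2)))
        out.append(("f%s(e,%s)" % (q1, p1), "f%s(e,%s)" % (q2, p2)))
    return out

def generalize(p1, p2):
    """p^gen: the i-th occurrence of the constant e in each term becomes the variable x<i>."""
    def sub(term):
        counter = iter(range(len(term)))
        return re.sub(r"\be\b", lambda m: "x%d" % next(counter), term)
    return sub(p1), sub(p2)

def rewriting_axioms(rules):
    """Axioms 1: R(p1^gen, p2^gen) for every rule r and every (p1, p2) in S_r."""
    return ["R(%s,%s)." % generalize(p1, p2) for r in rules for p1, p2 in pairs(r)]

def phi_r(states, rules):
    """Phi_R: rewriting axioms, reflexivity, transitivity and one congruence axiom per state."""
    out = rewriting_axioms(rules)
    out += ["R(x,x).", "R(x,y) & R(y,z) -> R(x,z)."]
    out += ["R(x,y) & R(z,v) -> R(f%s(x,z),f%s(y,v))." % (q, q) for q in states]
    return out

# Constructed data: the Two-way Token rules of Section 5.3, (t,n)((n,t)) and (n,t)((t,n)).
TWO_WAY_TOKEN = [(("t", "n"), [(("n", "t"), [])]), (("n", "t"), [(("t", "n"), [])])]
# Example 1 of Section 5.1: (q0,q1)((q1,q1),(q2,q0)).
EXAMPLE_1 = (("q0", "q1"), [(("q1", "q1"), []), (("q2", "q0"), [])])

if __name__ == "__main__":
    print("\n".join(phi_r(["n", "t"], TWO_WAY_TOKEN)))
    print("\n".join(rewriting_axioms([EXAMPLE_1])))
```

For the two Two-way Token rules the program produces the four rewriting axioms of the listing in Section 5.3 (up to the names of the variables), two for each rule because the single child can be either the left or the right child of its parent; the two-child rule of Example 1 yields a single axiom with four variables.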

Now for simplicity we make the following

Assumption 1. An automaton $A_I = (Q_I,F_I,\delta_I)$ is given over the ranked alphabet $\mathcal{F}_Q$.

We define the translation of $A_I$ as the set $\Phi_I$ of first-order formulae

5. $I_\theta(f_q(e,e))$ for all $\to^e \theta'$ and $(\theta',\theta') \to^{f_q} \theta$ in $\delta_I$;

6. $I_{\theta_1}(x) \wedge I_{\theta_2}(y) \to I_{\theta_3}(f_q(x,y))$ for all $(\theta_1,\theta_2) \to^{f_q} \theta_3$ in $\delta_I$;

7. $\bigvee_{\theta \in F_I} I_\theta(x) \to \mathit{Init}(x)$.

Let $A_U = (Q_U,F_U,\delta_U)$ be a tree automaton recognizing the finitely based set $\mathit{Unsafe}$. Then its translation $\Phi_U$ is defined analogously to the translation of $A_I$:

8. $U_\theta(f_q(e,e))$ for all $\to^e \theta'$ and $(\theta',\theta') \to^{f_q} \theta$ in $\delta_U$;

9. $U_{\theta_1}(x) \wedge U_{\theta_2}(y) \to U_{\theta_3}(f_q(x,y))$ for all $(\theta_1,\theta_2) \to^{f_q} \theta_3$ in $\delta_U$;

10. $\bigvee_{\theta \in F_U} U_\theta(x) \to \mathit{Unsafe}(x)$.

Proposition 3 (adequacy of encoding). For an instance of the coverability problem and the translation defined above the following holds:

1. For any $\tau_1,\tau_2 \in T(Q)$, if $\tau_1 \Rightarrow_P \tau_2$ then $\Phi_R \vdash R(t_{\tau_1},t_{\tau_2})$;

2. For any $\tau \in \mathit{Init}$, $\Phi_I \vdash \mathit{Init}(t_\tau)$;

3. For any $\tau \in \mathit{Unsafe}$, $\Phi_U \vdash \mathit{Unsafe}(t_\tau)$.

Proof. Proceeds by straightforward inspection of the definitions.

Corollary 2 (safety verification). If $\Phi_R \cup \Phi_I \cup \Phi_U \nvdash \exists x \exists y\, \mathit{Init}(x) \wedge \mathit{Unsafe}(y) \wedge R(x,y)$ then the coverability problem has a positive answer, that is, $\tau \not\Rightarrow_P^* \tau'$ holds for all $\tau \in \mathit{Init}$ and all $\tau' \in \mathit{Unsafe}$.

Theorem 2 (relative completeness). Given a parameterized tree system $P = (Q,R)$, a regular tree language of initial configurations $\mathit{Init}$ and a finitely based set of unsafe configurations $\mathit{Unsafe}$. Assume the backward symbolic reachability algorithm for monotonic abstraction described above terminates with the fixed-point $U = U_{n+1} = U_n$ for some $n$ and $\mathit{Init} \cap U = \emptyset$. Then there exists a finite model for $\Phi_R \wedge \Phi_I \wedge \Phi_U \wedge \neg(\exists x \exists y\, \mathit{Init}(x) \wedge \mathit{Unsafe}(y) \wedge R(x,y))$.

Proof. First we observe that since the fixed-point $U$ has a finite set of generators, it is a regular tree language. Let $A_{U^*} = (Q_{U^*},F_{U^*},\delta_{U^*})$ be a deterministic tree automaton recognizing $U$. We take $Q_{U^*}$ as the domain of the required model. Interpretations of all functional symbols from $\mathcal{F}_Q$ are given by $\delta_{U^*}$:

— $[f_q](\theta_1,\theta_2) = \theta_3$ iff $(\theta_1,\theta_2) \to^{f_q} \theta_3$ is in $\delta_{U^*}$;

— $[e] = \theta$, where $\to^e \theta$ is in $\delta_{U^*}$.

Interpretations of the predicates $R$, $I_\theta$, $\mathit{Init}$, $U_\theta$, $\mathit{Unsafe}$ are defined inductively as the least sets of tuples, or elements of the domain, satisfying the axioms 1-4, 5-7, 8-10, respectively. That concludes the definition of the model, which we denote by $\mathcal{M}$. We have $\mathcal{M} \models \Phi_R \wedge \Phi_I \wedge \Phi_U$ by construction. Now we check that $\mathcal{M} \models \neg(\exists x \exists y\, \mathit{Init}(x) \wedge \mathit{Unsafe}(y) \wedge R(x,y))$ holds. We have

1. $[\mathit{Init}] \star [R] \subseteq \{[\tau] \mid \exists \tau' \in \mathit{Init}\; \tau' \Rightarrow_P^* \tau\}$ (by the minimality conditions on the interpretations of $\mathit{Init}$ and $R$);

2. $\{[\tau] \mid \exists \tau' \in \mathit{Init}\; \tau' \Rightarrow_P^* \tau\} \subseteq \overline{F_{U^*}} = Q_{U^*} - F_{U^*}$ (by the assumption $U \cap \mathit{Init} = \emptyset$);

3. $[\mathit{Unsafe}] \subseteq F_{U^*}$ (by $\mathit{Unsafe} \subseteq U$);

4. $([\mathit{Init}] \star [R]) \cap [\mathit{Unsafe}] = \emptyset$ (by 1-3).



5.3 The case study, II 

In this section we illustrate the discussed variation of the FCM method by applying
it again to the verification of the Two-way Token Protocol, but specified
differently. The specification of this protocol using trees over states and tree
rewriting is taken from [?]. The set of states is $Q = \{n, t\}$, where $n$ and $t$ denote the
local states 'no token' and 'token', respectively. The set $R$ of rewriting rules
consists of the following two rules (a pair gives the states of a node and of one of
its children):

- $(t, n) \to (n, t)$;

- $(n, t) \to (t, n)$.

The set $Init$ of initial configurations consists of all complete binary trees over
$Q$ with exactly one token. The set $Unsafe$ of unsafe configurations consists of all
complete binary trees over $Q$ with at least two tokens. The set of formulae
$\Phi$ below is a first-order translation (in Mace4 syntax) of the verification task.

% rewriting rules
R(ft(fn(y,z),x),fn(ft(y,z),x)).
R(ft(x,fn(y,z)),fn(x,ft(y,z))).
R(fn(ft(y,z),x),ft(fn(y,z),x)).
R(fn(x,ft(y,z)),ft(x,fn(y,z))).

% reflexivity
R(x,x).

% congruence
(R(x,y) & R(z,v)) -> R(fn(x,z),fn(y,v)).
(R(x,y) & R(z,v)) -> R(ft(x,z),ft(y,v)).

% transitivity
(R(x,y) & R(y,z)) -> R(x,z).

% Initial states automaton
Il(fn(e,e)).
(Il(x) & Il(y)) -> Il(fn(x,y)).
(Il(x) & Il(y)) -> Init(ft(x,y)).
(Init(x) & Il(y)) -> Init(fn(x,y)).
(Il(x) & Init(y)) -> Init(fn(x,y)).

% Unsafe states automaton
Bl(ft(x,y)).
Bl(x) -> Bl(fn(x,y)).
Bl(y) -> Bl(fn(x,y)).
Bl(x) -> Unsafe(ft(x,y)).
Bl(x) -> Unsafe(ft(y,x)).
Bl(x) & Bl(y) -> Unsafe(fn(x,y)).
Bl(x) & Bl(y) -> Unsafe(ft(x,y)).
Unsafe(x) -> Unsafe(fn(x,y)).
Unsafe(x) -> Unsafe(fn(y,x)).
Unsafe(x) -> Unsafe(ft(x,y)).
Unsafe(x) -> Unsafe(ft(y,x)).



Now, in order to establish safety, it is sufficient to show that $\Phi \nvdash \exists x \exists y\, Init(x) \wedge
R(x, y) \wedge Unsafe(y)$. The finite model finder Mace4 finds a model for $\Phi \wedge \neg(\exists x \exists y\, Init(x) \wedge
R(x, y) \wedge Unsafe(y))$ in 0.04s.
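To make the countermodel concrete, here is an added Python check (written for this edit, not code from the paper and not Mace4 output) that builds one three-element model of $\Phi$ by hand, in the spirit of the model construction in the proof of Theorem 2, and verifies exhaustively that every axiom holds while the goal formula fails. The token-count abstraction used as the domain is my own assumption; Mace4 may report a different model.

```python
from itertools import product

# Added example, not from the paper: a hand-built three-element finite model
# of the Mace4 axiom set above, checked exhaustively. As in the proof of
# Theorem 2, the domain plays the role of automaton states; here a domain
# element k abstracts a complete binary tree by its token count, capped at 2.
D = (0, 1, 2)
e = 0                                           # the leaf carries no token

def fn(a, b): return min(a + b, 2)              # node in state n (no token)
def ft(a, b): return min(a + b + 1, 2)          # node in state t (token)
def R(a, b): return a == b                      # rewriting preserves the count
def Il(a): return a == 0                        # token-free subtree
def Init(a): return a == 1                      # exactly one token
def Bl(a): return a >= 1                        # at least one token
def Unsafe(a): return a == 2                    # two or more tokens

# Each axiom group of Phi as a condition over (x, y, z, v); unused variables
# are ignored, so one exhaustive loop over D^4 checks every universal closure.
AXIOMS = {
    "rule1": lambda x, y, z, v: R(ft(fn(y, z), x), fn(ft(y, z), x)),
    "rule2": lambda x, y, z, v: R(ft(x, fn(y, z)), fn(x, ft(y, z))),
    "rule3": lambda x, y, z, v: R(fn(ft(y, z), x), ft(fn(y, z), x)),
    "rule4": lambda x, y, z, v: R(fn(x, ft(y, z)), ft(x, fn(y, z))),
    "refl": lambda x, y, z, v: R(x, x),
    "cong": lambda x, y, z, v: not (R(x, y) and R(z, v))
        or (R(fn(x, z), fn(y, v)) and R(ft(x, z), ft(y, v))),
    "trans": lambda x, y, z, v: not (R(x, y) and R(y, z)) or R(x, z),
    "init": lambda x, y, z, v: Il(fn(e, e))
        and (not (Il(x) and Il(y)) or (Il(fn(x, y)) and Init(ft(x, y))))
        and (not (Init(x) and Il(y)) or Init(fn(x, y)))
        and (not (Il(x) and Init(y)) or Init(fn(x, y))),
    "unsafe": lambda x, y, z, v: Bl(ft(x, y))
        and (not Bl(x) or (Bl(fn(x, y)) and Unsafe(ft(x, y)) and Unsafe(ft(y, x))))
        and (not Bl(y) or Bl(fn(x, y)))
        and (not (Bl(x) and Bl(y)) or (Unsafe(fn(x, y)) and Unsafe(ft(x, y))))
        and (not Unsafe(x) or all(Unsafe(f(a, b))
                                   for f in (fn, ft) for a, b in ((x, y), (y, x)))),
}

def violated_axioms():
    """Names of axiom groups that fail for some assignment of domain elements."""
    return [n for n, ax in AXIOMS.items()
            if not all(ax(*t) for t in product(D, repeat=4))]

def goal_is_refuted():
    """True iff no x, y in the model satisfy Init(x) & R(x,y) & Unsafe(y)."""
    return not any(Init(x) and R(x, y) and Unsafe(y) for x in D for y in D)

def is_countermodel():
    """A model of Phi in which the goal fails witnesses Phi |/- goal, hence safety."""
    return violated_axioms() == [] and goal_is_refuted()
```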



6 Experimental results 

We have applied both presented versions of the FCM method to the verification of
several parameterized tree-shaped systems. The tasks specified in the RTMC tradition
were taken from [3] and the first translation was used. To compare with
monotonic abstraction based methods we used the second translation for the
tasks from [5].

In the experiments we used the finite model finder Mace4 [?] within the package
Prover9-Mace4, Version 0.5, December 2007. The system configuration used in
the experiments: Microsoft Windows XP Professional, Version 2002, Intel(R)
Core(TM)2 Duo CPU, T7100 @ 1.8GHz 1.79GHz, 1.00 GB of RAM. The time
measurements are done by Mace4 itself: upon completion of the model search it
reports the CPU time used. The table below lists the parameterized tree
protocols and shows the time it took Mace4 to find a countermodel and verify a
safety property. The time shown is an average of 10 attempts. We also show the
time reported for the verification of the same protocols by alternative methods.



6.1 FCM vs RTMC 



Protocol         Time    Time reported in [6]*
Token            0.02s   0.06s
Two-way Token    0.03s   0.09s

* the system configuration used in [6] was Intel Centrino 1.6GHz with 768MB
of RAM

Notice that [6] discusses different methods for enhancement of RTMC within
the abstract-check-refine paradigm and we included in the table the best times
reported in [6] for each verification problem.



6.2 FCM vs monotonic Abstraction 



Protocol         Time    Time reported in [5]*
Token            0.02s   1s
Two-way Token    0.03s   1s
Percolate        0.02s   1s
Leader Election  0.03s   1s
Tree-arbiter     0.02s   37s
IEEE 1394        0.04s   1h15m25s

* the system configuration used in [5] was dual Opteron 2.8GHz with 8GB
of RAM

All specifications used in the experiments and Mace4 output can be found in [?].



7 Related work 



As mentioned in Section 1, the approach to verification using the modeling of
protocol executions by first-order derivations together with countermodel
finding for disproving was introduced within the research on the formal analysis
of cryptographic protocols ([23], [22], [9], [11], [10]).

This work continues the exploration of the FCM approach presented in
[14,15,16,17,18,19]. In [17] (which is an extended version of [15]) it was shown
that FCM provides a decision procedure for safety verification of lossy channel
systems, and that FCM can be used for efficient verification of parameterised
cache coherence protocols. The relative completeness of FCM with respect
to regular model checking and to methods based on monotonic abstraction for linear
parameterized systems was established in [18] (which is an extended version
of the abstract [?]). The relative completeness of FCM with respect to
tree completion techniques for general term rewriting systems is shown in [19].
Our treatment of tree rewriting in Section 5.1 can be seen as a particular case of the term
rewriting considered in [19], with a slightly different translation of tree automata.
A detailed comparison and/or unified treatment of FCM vs Tree Completion vs
RTMC vs Monotonic Abstraction is to be given elsewhere. Here we notice only
that the reason for FCM to succeed in the verification of safety of various classes of
infinite-state and parameterized systems is the presence of regular sets of configurations
(invariants) covering all reachable configurations and disjoint from the
sets of unsafe configurations.

In a more general context, the work we present in this paper is related to the
concepts of proof by consistency [?] and inductionless induction [5], and can be
seen as an investigation into the power of these concepts in the particular setting
of the verification of parameterized tree systems via finite countermodel finding.



8 Conclusion 

We have shown how to apply generic finite model finders in the parameterized 
verification of tree-shaped systems, have demonstrated the relative completeness 
of the method with respect to regular tree model checking and to the methods 
based on monotonic abstraction and have illustrated its practical efficiency. Fu- 
ture work includes the investigation of scalability of FCM, and its applications 
to software verification. 